Details

Password Reset

Previous versions of Habari used a simple HTTP GET link for the password reset functionality. This left users exposed to a Cross-Site Request Forgery (CSRF). An attacker could leverage this to execute a denial of service attack against your mailbox, by flooding you with password reset emails.

Habari 0.6.2 switches the password reset mechanism to use HTTP POST in order to minimize this vulnerability.

Installer SQL injection

At the PHP|Tek conference, Sebastian Bergmann kindly revealed a security issue in the installation process of current versions of Habari. In order to leverage this vulnerability, several things need to be true:

an attacker needs to know your database username and password

an attacker needs to know your database name

you need to have the Habari source files online and publicly accessible

you need to have no config.php file

If those four things are true, the attacker can use the db_prefix field of the Habari installer to execute arbitrary SQL code.

This may seem esoteric, and of small consequence, but the Habari team prides itself on taking security seriously. We would hate for any users to experience any problems as a result of a vulnerability in our code, no matter how much of an outlier we might think an attack is.

Habari 0.6.2 resolves this issue by only allowing alphanumeric characters from the English alphabet to be used in the db_prefix field. Plans are underway for Habari 0.7 to allow full Unicode support for the db_prefix field. Users who require Unicode characters in the db_prefix field can manually configure a config.php file.
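As an added illustration (not Habari's own code), here is the allowlist check the release describes, in Python against an in-memory SQLite stand-in for the real database. The table names, the helper names, and the decision to accept an empty prefix are assumptions; it also shows why a table prefix cannot simply be bound as a query parameter.

```python
import re
import sqlite3

# Allowlist from the Habari 0.6.2 fix: only letters and digits of the
# English alphabet may appear in db_prefix. (Assumption: an empty prefix
# is accepted, as it is optional in most installers.)
DB_PREFIX_RE = re.compile(r"^[A-Za-z0-9]*$")


def validate_db_prefix(prefix: str) -> str:
    """Return the prefix unchanged if it passes the allowlist, else raise."""
    if not isinstance(prefix, str) or not DB_PREFIX_RE.fullmatch(prefix):
        raise ValueError("db_prefix may contain only ASCII letters and digits")
    return prefix


def schema_statements(prefix: str) -> list[str]:
    """Build installer CREATE TABLE statements (constructed table names).
    A table name is an identifier, so it cannot be a bound parameter;
    interpolation is unavoidable and the allowlist is the only guard."""
    p = validate_db_prefix(prefix)
    return [
        f"CREATE TABLE {p}posts (id INTEGER PRIMARY KEY, title TEXT)",
        f"CREATE TABLE {p}users (id INTEGER PRIMARY KEY, username TEXT)",
    ]


def install_schema(prefix: str) -> list[str]:
    """Run the statements against an in-memory SQLite database and
    return the sorted names of the tables that now exist."""
    conn = sqlite3.connect(":memory:")
    try:
        for stmt in schema_statements(prefix):
            conn.execute(stmt)
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        ).fetchall()
        return [r[0] for r in rows]
    finally:
        conn.close()


def identifier_binding_works() -> bool:
    """Why the allowlist is needed: the database rejects a bound parameter
    in identifier position, so db_prefix cannot be parameterised away."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("demo",))
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()
```

A prefix containing quotes, semicolons or non-ASCII letters never reaches the SQL string; it is rejected by `validate_db_prefix` first.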

Credits

Sincere thanks to everyone who has contributed time and energy into continuing to make Habari the success that it is. The Habari community continues to expand, and bring new talent and passion together.

Special thanks to Sebastian Bergmann for identifying the installer SQL injection vulnerability fixed in this release.